DEPRECATION WARNING

This documentation is not using the current rendering mechanism and is probably outdated.

EXT: EXT:Security

Author:Kasper Skårhøj
Created:2002-11-01T00:32:00
Changed by:Bernhard Kraft
Changed:2008-10-20T10:26:50
Author:Kraft Bernhard
Email:kraftb@kraftb.at

EXT: EXT:Security

Extension Key: ext_security

Copyright 2000-2002, Kraft Bernhard, <kraftb@kraftb.at>

This document is published under the Open Content License

available from http://www.opencontent.org/opl.shtml

The content of this document is related to TYPO3

- a GNU/GPL CMS/Framework available from www.typo3.com

Table of Contents

EXT: EXT:Security
  Introduction
    What does it do?
  Administration
  Configuration
  Possible errors
  Known problems
  To-Do list
  Changelog

Introduction

What does it do?

This extension tries to raise the security level of TYPO3 and installed extensions by various concepts. Currently only one of those concepts is implemented: FE database security. The extension requires you to set a different database user for the FE than for the BE. The FE database user must have a trimmed-down access policy in MySQL: read access only to most TYPO3 tables, and write access only to the specially defined tables that must be writeable even from the FE. This limits the damage a third-party extension vulnerable to SQL injection can do: an injected statement runs with the FE user's rights and cannot modify tables such as "be_users". Note that it does not prevent such a statement from reading those tables (see the To-Do list).

Administration

When installing the extension via the Extension Manager you are required to fill in the username and password of a MySQL database user, which will be used for FE database queries. You must not use the same username as the one set in the Install Tool when installing TYPO3.

As soon as you have set this username/password combination you will see a red message stating:

“The given FE database-username "t3_kicks" has inappropriate rights!”

and an additional message stating:

“Cannot connect to database using supplied credentials!”

This is because you still have to create a MySQL database user with the supplied username/password combination and appropriate access rights. Right below those messages, between two horizontal lines, you find a block of SQL queries which must be executed in the MySQL shell as a MySQL root user (or any user with GRANT privileges); they create the required database user and grant the appropriate access rights. The block will look something like:

GRANT SELECT, LOCK TABLES ON `t3_kickstarter`.`*` TO `t3_kicks`@`localhost` IDENTIFIED BY 'kicks';
GRANT DELETE, INSERT, UPDATE ON `t3_kickstarter`.`cache_hash` TO `t3_kicks`@`localhost`;
GRANT DELETE, INSERT, UPDATE ON `t3_kickstarter`.`cache_imagesizes` TO `t3_kicks`@`localhost`;
GRANT DELETE, INSERT, UPDATE ON `t3_kickstarter`.`cache_md5params` TO `t3_kicks`@`localhost`;
GRANT DELETE, INSERT, UPDATE ON `t3_kickstarter`.`cache_pages` TO `t3_kicks`@`localhost`;
GRANT DELETE, INSERT, UPDATE ON `t3_kickstarter`.`cache_pagesection` TO `t3_kicks`@`localhost`;
GRANT DELETE, INSERT, UPDATE ON `t3_kickstarter`.`cache_typo3temp_log` TO `t3_kicks`@`localhost`;
GRANT DELETE, INSERT, UPDATE ON `t3_kickstarter`.`fe_session_data` TO `t3_kicks`@`localhost`;
GRANT DELETE, INSERT, UPDATE ON `t3_kickstarter`.`fe_sessions` TO `t3_kicks`@`localhost`;
GRANT DELETE, INSERT, UPDATE ON `t3_kickstarter`.`fe_users` TO `t3_kicks`@`localhost`;

Those statements create the user, assign its password, and grant the required rights. Do NOT copy the block above; copy and paste the one shown in your Extension Manager, since it is generated for your database name, username, password and list of writeable tables. Note that creating a user implicitly through GRANT ... IDENTIFIED BY only works on MySQL versions up to 5.7; MySQL 8 requires a separate CREATE USER statement before the GRANTs.

As soon as those access rights have been set, the FE is secured by tightening the access rights of the database object while in FE context. It has no influence on the BE.

Configuration

Only a small set of tables is allowed to be written from the FE. Those tables are listed in the option:

Writeable tables [tablesWrite]

Extensions on your website may require more tables to be writeable. For example, if you have a guestbook, voting, blogging or mailing extension installed which writes data to its own tables, you have to add the names of those tables to this comma-separated list. Keep the list as short as possible: every table added here is a table an SQL injection in the FE can modify, so grant write access only to tables the FE genuinely writes to, and re-apply the grant/revoke block from the Extension Manager after each change so the MySQL privileges match the list.

Of course it is not allowed to add tables like “be_users” to this list. If you do, you will get an error message when calling any page in the FE. If one of your extensions REALLY requires writing to a table like “be_users”, you have to manually remove that table from the class member variable “tables_denyWrite” in the class in file “class.tx_extsecurity_tsfeHook.php”. Be aware that this reopens exactly the attack the extension is meant to block.
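As an added example (not part of this extension or its manual), the following Python script checks the FE database user's grants, as printed by SHOW GRANTS, against the tablesWrite list and the deny-list. It reports the same conditions the extension flags in the BE ("should be writeable", "not allowed to be writeable", a denied table in the configuration) plus any database-wide or global write grant, which would defeat the whole scheme. The sample SHOW GRANTS output, the table name tx_guestbook_entries and the one-entry deny-list (only "be_users", the table this manual names) are constructed assumptions; the authoritative deny-list is the tables_denyWrite member in class.tx_extsecurity_tsfeHook.php.

```python
"""Audit a TYPO3 FE database user's MySQL grants against an ext_security-style
write policy.  Added example, not the extension's own code.  Feed it the
output of:  SHOW GRANTS FOR 't3_kicks'@'localhost';
All sample data below is constructed, not taken from a real installation."""
import re

# Privileges that only read; any other privilege on a table counts as write capability.
READ_PRIVS = {"USAGE", "SELECT", "LOCK TABLES", "SHOW VIEW"}

# Tables that must never be FE-writeable.  The manual names only be_users; the
# extension keeps its own list in tables_denyWrite (assumption: same intent).
DENY_WRITE = {"be_users"}

_GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.IGNORECASE)


def parse_grant(line):
    """Return (privileges, db, table) for one SHOW GRANTS line, or None.

    db/table are '*' for wildcard scopes, e.g. `db`.* -> ('db', '*')."""
    m = _GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    db, _, table = m.group("scope").replace("`", "").partition(".")
    return privs, db, table


def audit(show_grants, db, tables_write, deny_write=DENY_WRITE):
    """Compare the user's effective write grants on `db` with the tablesWrite
    policy.  Returns a dict of sorted finding lists; all empty means the
    grants match the policy exactly."""
    wanted = set(tables_write)
    writeable = set()
    broad_write = []
    for line in show_grants.splitlines():
        parsed = parse_grant(line)
        if parsed is None:
            continue
        privs, gdb, table = parsed
        write = privs - READ_PRIVS
        if not write:
            continue
        if gdb == "*" or (gdb == db and table == "*"):
            # Global or database-wide write rights bypass the per-table policy.
            broad_write.append(f"{gdb}.{table}: {', '.join(sorted(write))}")
        elif gdb == db:
            writeable.add(table)
    return {
        # configured tables the extension would refuse anyway
        "denied_in_config": sorted(wanted & set(deny_write)),
        # "Table ... should be writeable!"
        "should_be_writeable": sorted(wanted - writeable - set(deny_write)),
        # "Table ... is not allowed to be writeable!"
        "must_not_be_writeable": sorted(writeable - wanted),
        "broad_write": broad_write,
    }


# Constructed SHOW GRANTS output: fe_users lacks write access, and a guestbook
# table is writeable without being configured in tablesWrite.
SAMPLE_SHOW_GRANTS = """\
GRANT USAGE ON *.* TO 't3_kicks'@'localhost'
GRANT SELECT, LOCK TABLES ON `t3_kickstarter`.* TO 't3_kicks'@'localhost'
GRANT INSERT, UPDATE, DELETE ON `t3_kickstarter`.`fe_sessions` TO 't3_kicks'@'localhost'
GRANT INSERT, UPDATE, DELETE ON `t3_kickstarter`.`fe_session_data` TO 't3_kicks'@'localhost'
GRANT INSERT, UPDATE, DELETE ON `t3_kickstarter`.`cache_pages` TO 't3_kicks'@'localhost'
GRANT INSERT, UPDATE, DELETE ON `t3_kickstarter`.`tx_guestbook_entries` TO 't3_kicks'@'localhost'
"""
SAMPLE_TABLES_WRITE = ["fe_sessions", "fe_session_data", "fe_users", "cache_pages"]

if __name__ == "__main__":
    findings = audit(SAMPLE_SHOW_GRANTS, "t3_kickstarter", SAMPLE_TABLES_WRITE)
    for kind, items in findings.items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it against the real SHOW GRANTS output of your FE user whenever tablesWrite changes; an empty result for all four lists means MySQL enforces exactly the policy the Extension Manager shows, and a non-empty broad_write list means the user was granted rights at database or server level and the per-table policy is meaningless.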

Possible errors

There are some error messages defined for this extension. They are listed here with some hints on how to solve them.

Occurs in: BE
Error message: Cannot connect to database using supplied credentials!
Solution: Enter the username/password of a valid MySQL database user, or create the user with the username/password combination you have set in the Extension Manager.

Occurs in: BE
Error message: Cannot select database "xxxxxx"!
Solution: The database user you have set does not have the rights to use the database of the TYPO3 installation. Grant the required access rights in the MySQL shell.

Occurs in: BE
Error messages:
  • Table "xxxxx" should be writable!
  • Table "xxxxx" is not allowed to be writeable!
  • Table "xxxxx" should be writeable!
Solution: These errors are shown in the BE when the FE database user does not have exactly the grants the extension expects: either a table listed in tablesWrite has no write access, or a table not listed there is writeable. Copy and paste the grant/revoke block shown in the EM into a MySQL shell where you are logged in as a database user with GRANT privileges.

Occurs in: FE
Error message: ext_security: You allowed FE-write access to some special tables which should not be writeable from the BE except in very special cases. You have to allow write to those tables manually. See manual for more information. The tables concerned are: xxxx
Solution: This message appears if you try to give write access to tables that are critical to security, like “be_users”. If you really want to give access to those tables, remove them from the class member variable “tables_denyWrite” in the class file “class.tx_extsecurity_tsfeHook.php”. Bear in mind that an SQL injection in any FE extension could then modify backend user accounts, which is exactly what this extension is meant to prevent.

Occurs in: FE and BE
Error messages:
  • ext_security: FE and BE database users are the same. This is not allowed. See manual for more information!
  • FE database-username has to be different from BE database-username set in the install tool !!!
Solution: If you set the same username for FE and BE database access these messages appear. Create a different user for FE database access and set it via the Extension Manager in the configuration of ext_security.

Occurs in: FE
Error message: ext_security: The FE database user you have selected has inappropriate rights. See manual for more information!
Solution: The database user you have set or created has too many or too few access rights. Copy and paste the grant/revoke block shown between the two horizontal lines into a MySQL shell as a MySQL user with GRANT privileges.

Occurs in: FE
Error message: The current FE-username, FE-password or host was not accepted when the connection to the database was attempted to be established! A database security extension is installed. Check if required FE username/password combinations have been configured!
Solution: Username/password credentials are not set properly in the Extension Manager.

Known problems

Probably there are some. None are known to me currently.

To-Do list

  • Find a way to deny “read” access to tables like “be_users” while in FE context.
  • Find other ways to tighten security of TYPO3.

Changelog

Version 0.0.1, released 2008-10-18 / 20:10 CET
  Initial release

Version 0.0.2, released 2008-10-18 / 20:20 CET
  Small bugfix right after release

Version 0.0.3, released 2008-10-20 / 10:30 CET
  • Created an extension icon
  • Created documentation for the source code
  • Implemented caching for grant privileges
